Software application delivery and launching system

ABSTRACT

One embodiment allocates a first virtual memory; receives executable code of a first piece of software; writes the executable code of the first piece of software directly into the first virtual memory; marks the first virtual memory as executable; executes the executable code of the first piece of software directly from the first virtual memory; and downloads and executes executable code of a second piece of software as facilitated by the executable code of the first piece of software.

TECHNICAL FIELD

The present disclosure generally relates to the distribution of computersoftware over a computer network and more specifically relates todeploying computer software over a computer network from a server to aclient for execution on the client without installing any portion of thesoftware on the client.

BACKGROUND

Computer software may be distributed to individual computer systems invarious ways. For example, a piece of software may be stored on aCompact Disc (CD) or a Digital Versatile Disc (DVD). A person may putsuch a disc in a disc drive of a computer system to install the piece ofsoftware stored on the disc onto the computer system. More recently,computer networks provide another channel for software distribution. Aperson may download a piece of software from a remote computer system(e.g., a server) over a computer network (e.g., the Internet) onto hisown computer system (e.g., a client). Often, the file downloaded overthe network may be an installation suite, script, or executable in whichthe piece of software is embedded. The person may save the downloadedfile on the hard drive of his computer system, either at a permanentlocation or in a temporary directory, and run the saved file to installthe piece of software on his computer system.

SUMMARY

The present disclosure generally relates to the distribution of computersoftware over a computer network and more specifically relates todeploying computer software over a computer network from a server to aclient for execution on the client without installing any portion of thesoftware on the client.

Particular embodiments allocate a first virtual memory; receiveexecutable code of a first piece of software; write the executable codeof the first piece of software directly into the first virtual memory;mark the first virtual memory as executable; execute the executable codeof the first piece of software directly from the first virtual memory;and download and execute executable code of a second piece of softwareas facilitated by the executable code of the first piece of software.

These and other features, aspects, and advantages of the disclosure aredescribed in more detail below in the detailed description and inconjunction with the following figures.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example method of deploying a piece of computersoftware from a server to a client for execution on the client withoutinstalling any portion of the software on the client.

FIG. 2 illustrates an example method of streaming a piece of computersoftware from a server to a client for execution on the client.

FIG. 3 illustrates an example network environment.

FIG. 4 illustrates an example computer system.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

The present disclosure is now described in detail with reference to afew embodiments thereof as illustrated in the accompanying drawings. Inthe following description, numerous specific details are set forth inorder to provide a thorough understanding of the present disclosure. Itis apparent, however, to one skilled in the art, that the presentdisclosure may be practiced without some or all of these specificdetails. In other instances, well known process steps and/or structureshave not been described in detail in order not to unnecessarily obscurethe present disclosure. In addition, while the disclosure is describedin conjunction with the particular embodiments, it should be understoodthat this description is not intended to limit the disclosure to thedescribed embodiments. To the contrary, the description is intended tocover alternatives, modifications, and equivalents as may be includedwithin the spirit and scope of the disclosure as defined by the appendedclaims.

Computer software may be distributed from one computer system (e.g., aserver) to another computer system (e.g., a client) over a computernetwork (e.g., the Internet). In fact, an increasing number of softwaredevelopers, manufactures, and distributors consider computer networks asa convenient, fast, and cost-effective channel for softwaredistribution. For example, a person often is able to download the latestversion of a piece of computer software developed by a company from thatcompany's website. In a typical scenario, the person may load a web pagethat contains the download link to the piece of software in a webbrowser executed on his computer system, and then click the downloadlink provided in the web page. This usually causes a file to bedownloaded to the person's computer system. The file may be aninstallation script or executable or the executable code of the softwareitself. The person may save the file on the hard drive of his computersystem. If the file is an installation script or executable, the personmay run the downloaded file to install the software onto his computersystem. On the other hand, if the file is the executable code of thesoftware, the person may run the software directly (e.g., by doubleclicking on the executable file).

Having to save or install the software programs downloaded over thecomputer networks onto the hard drive of a computer system in order toexecute the programs may be inconvenient or cumbersome at times. Forexample, first, saving downloaded files to a hard drive and installingsoftware onto a computer system often take time. Furthermore, if a pieceof software is large in size (e.g., Adobe® PDF Reader®), theinstallation process may take a significant amount of time. The user ofthe computer system may have to go through several steps (e.g.,installation, setup, etc.) before he can execute the downloadedsoftware. Second, saving files to a hard drive and installing softwareonto a computer system use up storage capacity (e.g., hard drive space)of the computer system. Sometimes, a computer system (e.g., a netbook ornotebook computer) may not have sufficient storage space for all of thesoftware its user wishes to install onto the computer system. Third,software developers may update their software and release newer versionsof the software from time to time. The newer versions of a piece ofsoftware usually are of a better quality than the older versions. Thus,people may wish to keep their software relatively up-to-date. However,to update a piece of software, a person often needs to uninstall theolder version of the software currently installed on his computer systemand then download and install the newer version. In addition, somesoftware developers may want to deliver software-based applicationservices to users that do not require such installations as they wouldlike to avoid having any downloaded code remain on permanent datastorage devices after the initial, or any subsequent, use.

To address some of these issues, particular embodiments enable a user ofone computer system (e.g., a client) to download computer softwareprograms from another computer system (e.g., a server) over a computernetwork (e.g., the Internet) for execution on the user's computer systemwithout having to store or install the software programs or any othertypes of software onto any permanent storage (e.g., the hard drive) ofthe user's computer system. In other words, the user may download apiece of software onto his computer system and execute that piece ofsoftware on his computer system. After the execution of the software iscompleted (e.g., after the user exits the software), there is no traceof the software or any other related software left on the user'scomputer system.

For purpose of clarification, hereafter, the computer system to whichthe software is downloaded and on which the software is executed isreferred to as the “client”, and the computer system from which thesoftware is downloaded is referred to as the “server”. However, oneskilled in the art may appreciate that the embodiments described in moredetail below may be suitably applied to any two computer systems (e.g.,two servers, two clients, or a server and a client). In addition, thepiece of software downloaded from the server to the client and executedon the client (i.e., the software that a person wants to use) isreferred as the target software.

In particular embodiments, another piece of software, hereafter referredto as the “stub software” or simply a “stub”, may facilitate thedownloading and the execution of the target software. In particularembodiments, the stub may be implemented using any suitable programminglanguage and compiled as computer executable code. In particularembodiments, the executable code of the stub may be stored on the serverand downloaded to the client for execution using a client-side scriptwritten in any suitable programming language, such as, for example andwithout limitation, Java, JavaScript, Python, etc., which may beexecuted in a web browser. For example, the client-side script may beincluded in a web page as a clickable link. To access the client-sidescript, a user may load the web page containing the client-side scriptin a web browser (e.g., Microsoft Internet Explorer, Mozilla Firefox, orGoogle Chrome) residing on the client and then click the link to theclient-side script provided in the web page. This causes the client-sidescript code to be transmitted to the web browser for execution by theweb browser.

FIG. 1 illustrates an example method of deploying a target software froma server to a client for execution on the client through the use of astub. In particular embodiments, once the client-side script is executedin a web browser, the script accesses a foreign function libraryresiding on the client, as illustrated in STEP 100. Many programminglanguages provide foreign function interfaces. A foreign functioninterface is a mechanism by which a software program written in oneprogramming language can invoke routines or make use of services writtenin another programming language (e.g., functions provided by anoperating system or software library). Typically, the functionsimplementing the foreign function interface of a programming languageare included in a foreign function library provided by that programminglanguage. For example, Python provides a foreign function library calledthe “ctypes package”; Java provides Java Native Interface and JavaNative Access that enable Java programs to access native sharedlibraries; and JavaScript provides JavaScript Native Interface (JSNI),also called JavaScript Foreign Function Interface (JSFFI). Some webbrowsers (e.g., Mozilla Firefox) also support native or foreign functionaccess for code executing in these web browsers.

Depending on the specific programming language in which the script codeis written, the script may invoke the corresponding foreign functionlibrary of that programming language. For example, with Python, there isa function called “load_library” that may be used to load a specificlibrary. Microsoft Windows provides a function called “LoadLibrary” forloading a specified module into the address space of the callingprocess.

In particular embodiments, through the appropriate foreign functioninterface, the script may obtain a pointer to a memory allocationfunction residing on the client, as illustrated in STEP 102. Thespecific memory allocation function available on the client may dependon the operating system of the client or the software librariesavailable on the client. For example, Microsoft Windows provides afunction called “VirtualAlloc” for reserving or committing a region ofpages in the virtual address space of the calling process. C and C++programming languages both provide a library function called “malloc”for performing dynamic memory allocation of a specified size.

In particular embodiments, using the memory allocation function (e.g.,“VirtualAlloc”), the script may allocate a specific amount of memory, asillustrated in STEP 104. The allocated memory should be sufficient forthe executable code of the stub. In particular embodiments, theexecutable code of the stub may be downloaded from the server andwritten into the allocated memory, as illustrated in STEP 106. Inparticular embodiments, the stub may require some library functionscontained in various shared libraries. For example, with MicrosoftWindows, the share libraries are called dynamic-link libraries (DLLs).The shared libraries containing the functions needed by the stub may beloaded using an appropriate library loading function (e.g.,“LoadLibrary” or “load_library”).

In particular embodiments, the memory in which the executable code ofthe stub is written is marked as executable memory. For example,Microsoft Windows provides a mechanism called data execution prevention(DEP), which is a set of hardware and software technologies that performadditional checks on memory to help protect against malicious codeexploits. Briefly, all memory locations in a process are marked asnon-executable unless the location explicitly contains executable code.Thus, the memory locations where the executable code of the stub arcwritten need to be marked as executable in order for the stub code to beexecuted. With Microsoft Windows, specific memory locations may bemarked as executable by setting an appropriate flag or attribute (e.g.,marking the allocated memory as “PAGE_EXECUTE”, “PAGE_EXECUTE_READ”,“PAGE_EXECUTE_READWRITE”, or“PAGE_EXECUTE_WRITECOPY”).

In particular embodiments, the script may obtain a pointer to theexecutable code of the stub in the allocated memory, as illustrated inSTEP 110. In particular embodiments, the executable code of the stub maybe launched directly from memory, as illustrated in STEP 112. Inparticular embodiments, the stub may facilitate the download andexecution of the target software on the client, as illustrated in STEP114. This process is described in more detail below in connection withFIG. 2.

In particular embodiments, after the stub completes its tasks (i.e.,facilitating the download and execution of the target software on theclient), the script may obtain a pointer to a memory de-allocationfunction residing on the client, again through the appropriate foreignfunction interface, as illustrated in STEP 116. The specific memoryde-allocation function available on the client may depend on theoperating system of the client or the software libraries available onthe client. For example, Microsoft Windows provides a function called“VirtualFree” for releasing, de-committing, or releasing andde-committing a region of pages within the virtual address space of thecalling process. C and C++ programming languages both provide libraryfunctions such as “dealloc” and “free” for freeing up (i.e.,de-allocating) allocated dynamic memory.

In particular embodiments, using the memory de-allocation function(e.g., “VirtualFree”), the script may de-allocate the memory in whichthe executable code of the stub is written, as illustrated in STEP 118.Subsequently, this memory space may be used for other purposes and otherdata may be loaded into the same memory space, overriding the executablecode of the stub. Thus, after the memory locations where the executablecode of the stub is written are freed (i.e., de-allocated), theexecutable code of the stub is gone (e.g., replaced or removed) from theclient. There is no trace of the executable code of the stub left on theclient, as the stub is not saved in or installed on any permanentstorage (e.g., the hard drive) of the client.

In particular embodiments, instead of explicitly de-allocating thememory locations where the executable code of the stub is written, thememory locations may be freed up implicitly. For example, if the userexists the web browser or leaves the web page containing the client-sidescript, all memory locations involved with the script are freed up,which means the memory locations where the executable code of the stubis written are also freed up.

In particular embodiments, once executed directly from the allocatedmemory on the client, the stub facilitates the downloading and executionof the target software. In particular embodiments, the stub mayestablish a network connection between the client and a server where thetarget software is stored and download the executable code of the targetsoftware from the server over the network connection to the client. Inparticular embodiments, the executable code of the target software maybe embedded in a data stream sent from the server to the client over thenetwork connection. Upon receiving the data stream, the stub may extractthe executable code of the target software and load it directly into theRandom-Access Memory (RAM) of the client for execution on the client.The target software is not saved in or installed onto any permanentstorage (e.g., the hard drive) of the client, same as the stub. Once thetarget software completes its execution on the client, the RAM space inwhich the executable code of the target software is loaded may bereleased and the target software no longer exists anywhere on theclient.

The target software may be downloaded and launched on the client withouthaving to be saved or installed on the client, which may decrease theusage of the storage capacity of the client. Furthermore, since thetarget software is downloaded just prior to its execution on the client,the latest or any desired version of the target software may be obtainedeach time the target software is downloaded and launched.

FIG. 2 illustrates an example method for the stub to facilitate thedownloading and execution of the target software on the client. Inparticular embodiments, the target software being downloaded is anapplication program. The executable code of the target software may bestored on a server, which may be the same server where the executablecode of the stub is stored or a different server.

In particular embodiments, the stub may establish a network connectionbetween the client and the server where the executable code of thetarget software is stored, as illustrated in step 200. The stub may takeover an existing connection already established between the server andthe client (e.g., the connection established by the web browser) orestablish a new connection. If the stub establishes a new networkconnection, the new connection may be established using any suitablehandshaking methods between two computer systems coupled to a computernetwork. For example, the stub executing on the client may send aconnection request to the server, and the server, upon receiving theconnection request, may send a response back, indicating whether theconnection request is accepted or rejected. If the server has acceptedthe connection request, the network connection may be establishedbetween the client and the server accordingly. In particularembodiments, communications between the server and the client may useany suitable communication protocol, such as, for example and withoutlimitation, Hypertext Transfer Protocol (HTTP), User Datagram Protocol(UDP), or Transport Control Protocol (TCP).

In particular embodiments, there may be multiple software programsstored on the server or there may be multiple versions of a particularsoftware program stored on the server, which may be downloaded toindividual clients. In particular embodiments, each version of eachpiece of software that may be downloaded from a server to a client by astub executing on the client may be identified by a unique identifier.This unique identifier may be used to notify the server which specificpiece of software a client's stub wishes to download. In particularembodiments, each piece of downloadable software may be considered anetwork resource. Thus, a particular piece of downloadable software maybe identified by its unique network path or Uniform Resource Identifier(URI). The stub may reference to the target software using its URI.

Sometimes, a piece of software may have multiple versions. In particularembodiments, the stub may determine the most suitable version of thetarget software for the client. For example, there are multiple versionsof the Microsoft Windows operating systems (e.g., Windows XP, WindowsME, or Windows 7) as well as 32-bit operating systems and 64-bitoperating systems. The stub may examine the operating system of theclient to determine the specific version of the target software mostcompatible with the operating system of the client. If the operatingsystem of the client is a 32-bit operating system, then the stub mayidentify a 32-bit version of the target software. On the other hand, ifthe operating system of the client is a 64-bit operating system, thenthe stub may identify a 64-bit version of the target software.

In particular embodiments, when requesting a network connection with theparticular server where the target software is stored, the stub may sendthe unique identifier of the target software to the server together withthe connection request or as a part of the connection request.Alternatively, in particular embodiments, the stub may send theidentifier of the target software to the server as a separate requestafter the connection between the server and the client has beenestablished. The server may then determine which particular piece ofsoftware it should transmit to the requesting client. The process may besimilar to invoking a data stream via a web browser (e.g., by clickingon a URL or URI link to a downloadable file contained in a web page).

In particular embodiments, the server may transmit a data stream to therequesting client, and more specifically, to the stub executing on therequesting client, over the network connection, as illustrated in step202. The network connection may be a TCP connection, a UDP connection, aHTTP connection, or any other suitable connection. In particularembodiments, the data stream may be a video stream or an audio stream.In particular embodiments, the executable code of the target softwarerequested by the stub may be embedded in the data stream as one or moredata packets. For example, the target software may be a video decoderthat receives a video stream encoded by a video codec, decodes the dataand renders the video data on a display of the client. As anotherexample, the target software may be a computer game.

In particular embodiments, the executable code of the target softwaremay be embedded in the data stream. In particular embodiments, theexecutable code of the target software may be machine code or nativecode and may be platform-dependent. In particular embodiments, theexecutable code of the target software has been complied to run on theplatform of the particular client requesting the target software (e.g.,based on the client's hardware architecture and operating system).

In particular embodiments, the data stream may include two portions. Inparticular embodiments, the first portion of the data stream (i.e. thebeginning of the data stream) may contain the executable code of thetarget software. In particular embodiments, the executable code of thetarget software may be optionally compressed using any suitablecompression methods. For example, a lossless compression method, such aszip or gzip, may be used to compress the executable code of the targetsoftware. In particular embodiments, the executable code of the targetsoftware may be embedded within a video stream. As most types of videostreams are generic container formats, data, and more specifically, theexecutable code of the target software, may be embedded in such a videostream. In particular embodiments, the first portion of the data streammay also include operational variables and parameters, such as aparameter that indicates the size of the memory space (e.g., RAM memoryspace) needed to load and execute the executable code of the software.

In particular embodiments, the second portion of the data stream mayoptionally contain additional data that may be consumed by the targetsoftware during its execution. In particular embodiments, the additionaldata may be optionally encoded or compressed using any suitable encodingor compressing methods and transmitted as one or more data packets.Again, if the data stream is a video stream, then the additional datamay be encoded using a video encoding method, such as MPEG encoding.

In particular embodiments, upon receiving the data stream, the stub mayaccess the first portion of the data stream to extract the executablecode of the target software embedded therein. If needed, the stub maydecode or decompress the extracted executable code of the targetsoftware. The decoding or decompressing methods used by the stub maycorrespond to the encoding or compressing methods used to encode orcompress the executable code of the target software. For example, if theexecutable code of the target software has been compressed using asuitable compression algorithm (e.g., a lossless compression algorithm),the stub may decompress it using a corresponding decompressionalgorithm. Similarly, if the executable code of the target software hasbeen encoded using a suitable encoding algorithm, the stub may decode itusing a corresponding decoding algorithm. In addition, in particularembodiments, the stub may also access the first portion of the datastream to extract the parameters that indicate the size of the memoryspace needed to load and execute the executable code of the targetsoftware.

In particular embodiments, to prevent unauthorized or malicious softwarefrom being downloaded and executed on the client, the stub may validatethe executable code of the target software extracted from the firstportion of the data stream using any suitable validation methods, asillustrated in step 204. In particular embodiments, a white list oftrusted sources (e.g., domain names or IP addresses of trusted servers)may be provided with the stub. Upon receiving a piece of software, thestub may compare the source (e.g., the server or website) transmittingthe software against its white list. Only software transmitted by thetrusted sources on the white list may be executed on the client.Software received from sources not on the white list may be discarded orquarantined. In particular embodiments, the executable code of thetarget software embedded in the first portion of the data stream may besigned and associated with a digital certificate. The stub may validatethe executable code of the target software using its associated digitalcertificate.

If the executable code of the target software is not valid (step 206,“NO”), then the executable code of the target software is not launchedon the client and may be discarded. On the other hand, if the executablecode of the target software is valid (step 206, “YES”), then, inparticular embodiments, the stub may allocate a sufficient amount ofmemory on the client for loading and executing the executable code ofthe target software, as illustrated in step 208. In particularembodiments, the amount of memory allocated may not be less than thesize of the memory space needed to load and execute the executable codeof the target software, as indicated by the variable included in thefirst portion of the data stream. In particular embodiments, theallocated memory may be dynamic memory, virtual memory, or RAM of theclient.

Most operating systems provide library functions that enable anapplication program to allocate and dc-allocate virtual or dynamicmemory and perform other types of memory-related functions duringruntime. In particular embodiments, the stub may, through an appropriateforeign function library, invoke appropriate library functions providedby the operating system of the client to allocate the required memoryspace for the executable code of the target software. For example, asdescribed above, “malloc” is a standard library function of both C andC++ programming languages for allocating dynamic memory space. ForMicrosoft Windows platforms, “VirtualAlloc” is a Win32 library functionfor reserving a region of pages in the virtual address space. Once thememory has been allocated, the stub may invoke appropriate libraryfunctions to set the flag for the allocated memory space as“executable”, which indicates to the operating system that the datastored in the allocated memory are executable code. For example, withMicrosoft Windows, the attribute “PAGE_EXECUTE”, “PAGE_EXECUTE_READ”,“PAGE_EXECUTE_READWRITE”, or “PAGE_EXECUTE_WRITECOPY” may be specifiedin connection with the memory allocation (e.g., using “VirtualAlloc”) toask the operating system for a sufficient amount of virtual memory thathas the right for executing code, and operationally with the rights forreading or writing code.

In particular embodiments, the stub may load the executable code of thetarget software directly into the allocated memory (e.g., the allocateddynamic memory) without having to save or install the executable code ofthe target software on the hard drive of the client, as illustrated instep 210. In particular embodiments, the stub may invoke appropriatelibrary functions provided by the operating system of the client or thesoftware libraries on the client to copy the binary data representingthe executable code of the target software directly into the allocatedvirtual or dynamic memory space. For example, with Microsoft Windows,“CopyMemory” is a function for copying a block of memory from onelocation to another location; and “memcpy” is a standard libraryfunction of both C and C++ programming languages for copying data fromone memory location to another memory location.

In particular embodiments, the target software may require certainlibrary functions. If a required library function already exists on theclient, the stub may load the shared library containing the requiredlibrary function for the target software. For example, with MicrosoftWindows, a shared library (e.g., a DLL) may be loaded using the“LoadLibrary” function. On the other hand, if a required libraryfunction does not exist on the client, the stub may download the sharedlibrary containing the required library function or the required libraryfunction by itself from an appropriate server, allocate virtual memoryfor the shared library or the required library function, and write theshared library or the required library function in the allocated virtualmemory so that the target software may use the library function whenneeded. In other words, for those resources (e.g., library functions)needed by the target software during its execution, if the resourcesalready exist on the client, the resources on the client are used; andif the resources do not exist on the client, the stub download theresources for the target software.

In particular embodiments, the stub may also adjust a branch table, alsoreferred to as a jump table, to include the information concerning theexecutable code of the target software loaded in the allocated memory.This process may be referred to as a “fix-up” process. A branch table isan efficient method of transferring program control from one part toanother part of a program or from one program to another program. Byadjusting the appropriate branch table entries, the operating system maybe made aware of the executable code of the software now loaded in theallocated memory.

The actual steps that are performed during a fix-up process may varydepending on the platform or the operating system of the client. Forexample, with Microsoft Windows platform, an executable format typicallyhas a relocation table and an import table. In general, the executablecode is linked assuming it will be loaded to a fixed address. In orderto load the executable code into a different address, any absoluteaddresses used by the executable code are found and “fixed-up” to caterfor the change in the base address. This may be achieved using therelocation table. In particular embodiments, the relocation tablecompiles a list of all of the absolute addresses within the executablecode such that they may be fixed up when the executable code is loaded.The import table lists the absolute addresses of all of the routinesthat the executable code may call. This may include both API routinesand routines in other dynamic-link libraries (DLLs). These importaddresses are replaced with the actual addresses of the routines withinthe address space of the current process. The import table is a list ofthe location of these addresses within the executable code (theaddresses may be within a jump table or trampoline area, but also may bea list of data for indirect calls).

Particular embodiments may take advantage of the Portable Executable(PE) format, which is a file format for executables, object code, andDLLs used in Microsoft Windows operating systems. The PE format isversatile in numerous environments of operating system softwarearchitecture. Generally, the PE format is a data structure thatencapsulates the information necessary for the Microsoft Windowsoperating system loader to manage the wrapped executable code.Particular embodiments may compile and save the executable code of thesoftware using the PE format. For other platforms, implementations ofthe invention may operate with raw executable code that requires asingle entry point without any fixups. In some implementations, the rawexecutable code can be configured to perform the fixups itself and cancover such code as ELF and MACH-O.

In particular embodiments, the target software may be executed on theclient, as illustrated in step 212. In particular embodiments, theexecutable code of the target software may be launched directly from theallocated dynamic memory in which it is stored. In particularembodiments, the stub may cause the executable code of the targetsoftware loaded in the allocated memory to begin execution.Consequently, the stub may transfer the execution to the targetsoftware.

In particular embodiments, the stub may pass the socket, or moreprecisely, the Internet socket or the network socket, associated withthe network connection between the client and the server and the datastream to the target software that is now being executed on the client,as illustrated in 214. Network sockets constitute a mechanism fordelivering incoming data packets to the appropriate application processor thread. By passing the network socket associated with the data streamto the target software, the target software may now receive theadditional data packets that contain the additional data in the secondportion of the data stream. The target software may then consume (e.g.,process) the additional data contained in the second portion of the datastream. In particular embodiments, the stub may invoke appropriatelibrary functions provided by the operating system of the client to passthe network socket to the now executing target software. For example,the Windows Sockets Application Programming Interface (API), alsoreferred to as Winsock, enables a network socket to be passed from oneprocess to another using the “WSADuplicateSocket” function.

The target software may continue its execution until it is completed. Inparticular embodiments, once the target software has completed itsexecution (i.e., has exited), the dynamic memory space used to load theexecutable code of the target software program may be de-allocated(e.g., by the operating system of the client). For example, withMicrosoft Windows, the “VirtualFree” function may be invoked to free upthe allocated memory where the excitable code of the target software isstored. Subsequently, this memory space may be used for other purposesand other data may be loaded into the same memory space, overriding theexecutable code of the target software. At this point, the targetsoftware no longer exits on the client without any state changes toclient (e.g., no files on a drive, no system registry changes, etc.)because it was installed by the stub directly into memory and not storedin any persistent media on the client including, in some embodiments,the browser cache or other temporary data storage mechanisms.

In some embodiments, a first executable code object embedded in thestream and launched by the stub may itself cause another process to begenerated by requesting another data stream that also includes a secondexecutable code object. The second executable code object may belaunched as a child process of the first executable code object andshare the same sand-boxed file system generated by the first executablecode object. For example, the first executable code object may be avirtual machine that allows one or more second executable code objectsto run entirely in memory and sand-boxed by the first virtual machinecode object. In particular implementation, for example, writes to a datastorage subsystem by the second code object are written by the virtualmachine into memory, not a peripheral device which could be analyzedwhen a user logs off the client. For example, this embodiment can beused to allow for demonstration versions of software in that the firstexecutable code object may be a virtual machine that sandboxes a secondprogram to be demonstrated or tested. As discussed above, when the firstand second executable code objects end, all traces of them in memory aregone. The foregoing embodiment can also be used to prevent unauthorizedaccess to data that is typically cached during application execution.

Particular embodiments may be implemented in a network environment. FIG.3 illustrates an example network environment 300. Network environment300 includes a network 310 coupling one or more servers 320 and one ormore clients 330 to each other. In particular embodiments, network 310is an intranet, an extranet, a virtual private network (VPN), a localarca network (LAN), a wireless LAN (WLAN), a wide area network (WAN), ametropolitan area network (MAN), a portion of the Internet, or anothernetwork 310 or a combination of two or more such networks 310. Thisdisclosure contemplates any suitable network 310.

One or more links 350 couple a server 320 or a client 330 to network310. In particular embodiments, one or more links 350 each includes oneor more wireline, wireless, or optical links 350. In particularembodiments, one or more links 350 each includes an intranet, anextranet, a VPN, a LAN, a WLAN, a WAN, a MAN, a portion of the Internet,or another link 350 or a combination of two or more such links 350. Thisdisclosure contemplates any suitable links 350 coupling servers 320 andclients 330 to network 310.

In particular embodiments, each server 320 may be a unitary server ormay be a distributed server spanning multiple computers or multipledatacenters. Servers 320 may be of various types, such as, for exampleand without limitation, web server, news server, mail server, messageserver, advertising server, file server, application server, exchangeserver, database server, or proxy server. In particular embodiments,each server 320 may include hardware, software, or embedded logiccomponents or a combination of two or more such components for carryingout the appropriate functionalities implemented or supported by server320. For example, a web server is generally capable of hosting websitescontaining web pages or particular elements of web pages. Morespecifically, a web server may host HTML files or other file types, ormay dynamically create or constitute files upon a request, andcommunicate them to clients 330 in response to HTTP or other requestsfrom clients 330. A mail server is generally capable of providingelectronic mail services to various clients 330. A database server isgenerally capable of providing an interface for managing data stored inone or more data stores.

In particular embodiments, the executable code of a stub 322 and theexecutable code of a piece of software 324 may reside on a server 320.They may be downloaded to a client 330 for execution without being savedor installed on client 330. While they are being executed on client 330,they exit in the virtual memory on client 330. After their executionsare completed, they are removed from client 330 when the virtual memoryis freed up, thus leaving no trace on client 330.

In particular embodiments, one or more data storages 340 may becommunicatively linked to one or more severs 320 via one or more links350. In particular embodiments, data storages 340 may be used to storevarious types of information. In particular embodiments, the informationstored in data storages 340 may be organized according to specific datastructures. In particular embodiment, each data storage 340 may be arelational database. Particular embodiments may provide interfaces thatenable servers 320 or clients 330 to manage, e.g., retrieve, modify,add, or delete, the information stored in data storage 340.

In particular embodiments, each client 330 may be an electronic deviceincluding hardware, software, or embedded logic components or acombination of two or more such components and capable of carrying outthe appropriate functionalities implemented or supported by client 330.For example and without limitation, a client 330 may be a desktopcomputer system, a notebook computer system, a netbook computer system,a handheld electronic device, or a mobile telephone. This disclosurecontemplates any suitable clients 330. A client 330 may enable a networkuser at client 330 to access network 330. A client 330 may enable itsuser to communicate with other users at other clients 330.

A client 330 may have a web browser 332, such as MICROSOFT INTERNETEXPLORER, GOOGLE CHROME or MOZILLA FIREFOX, and may have one or moreadd-ons, plug-ins, or other extensions, such as TOOLBAR or YAHOOTOOLBAR. A user at client 330 may enter a Uniform Resource Locator (URL)or other address directing the web browser 332 to a server 320, and theweb browser 332 may generate a Hyper Text Transfer Protocol (HTTP)request and communicate the HTTP request to server 320. Server 320 mayaccept the HTTP request and communicate to client 330 one or more HyperText Markup Language (HTML) files responsive to the HTTP request. Client330 may render a web page based on the HTML files from server 320 forpresentation to the user. This disclosure contemplates any suitable webpage files. As an example and not by way of limitation, web pages mayrender from HTML files, Extensible Hyper Text Markup Language (XHTML)files, or Extensible Markup Language (XML) files, according toparticular needs. Such pages may also execute scripts such as, forexample and without limitation, those written in JAVASCRIPT, JAVA,MICROSOFT SILVERLIGHT, combinations of markup language and scripts suchas AJAX (Asynchronous JAVASCRIPT and XML), and the like. Herein,reference to a web page encompasses one or more corresponding web pagefiles (which a browser may use to render the web page) and vice versa,where appropriate.

Particular embodiments may be implemented on one or more computersystems. FIG. 4 illustrates an example computer system 400. Inparticular embodiments, one or more computer systems 400 perform one ormore steps of one or more methods described or illustrated herein. Inparticular embodiments, one or more computer systems 400 providefunctionality described or illustrated herein. In particularembodiments, software running on one or more computer systems 400performs one or more steps of one or more methods described orillustrated herein or provides functionality described or illustratedherein. Particular embodiments include one or more portions of one ormore computer systems 400.

This disclosure contemplates any suitable number of computer systems400. This disclosure contemplates computer system 400 taking anysuitable physical form. As example and not by way of limitation,computer system 400 may be an embedded computer system, a system-on-chip(SOC), a single-board computer system (SBC) (such as, for example, acomputer-on-module (COM) or system-on-module (SOM)), a desktop computersystem, a laptop or notebook computer system, an interactive kiosk, amainframe, a mesh of computer systems, a mobile telephone, a personaldigital assistant (PDA), a server, or a combination of two or more ofthese. Where appropriate, computer system 400 may include one or morecomputer systems 400; be unitary or distributed; span multiplelocations; span multiple machines; or reside in a cloud, which mayinclude one or more cloud components in one or more networks. Whereappropriate, one or more computer systems 400 may perform withoutsubstantial spatial or temporal limitation one or more steps of one ormore methods described or illustrated herein. As an example and not byway of limitation, one or more computer systems 400 may perform in realtime or in batch mode one or more steps of one or more methods describedor illustrated herein. One or more computer systems 400 may perform atdifferent times or at different locations one or more steps of one ormore methods described or illustrated herein, where appropriate.

In particular embodiments, computer system 400 includes a processor 402,memory 404, storage 406, an input/output (I/O) interface 408, acommunication interface 410, and a bus 412. Although this disclosuredescribes and illustrates a particular computer system having aparticular number of particular components in a particular arrangement,this disclosure contemplates any suitable computer system having anysuitable number of any suitable components in any suitable arrangement.

In particular embodiments, processor 402 includes hardware for executinginstructions, such as those making up a computer program. As an exampleand not by way of limitation, to execute instructions, processor 402 mayretrieve (or fetch) the instructions from an internal register, aninternal cache, memory 404, or storage 406; decode and execute them; andthen write one or more results to an internal register, an internalcache, memory 404, or storage 406. In particular embodiments, processor402 may include one or more internal caches for data, instructions, oraddresses. This disclosure contemplates processor 402 including anysuitable number of any suitable internal caches, where appropriate. Asan example and not by way of limitation, processor 402 may include oneor more instruction caches, one or more data caches, and one or moretranslation lookaside buffers (TLBs). Instructions in the instructioncaches may be copies of instructions in memory 404 or storage 406, andthe instruction caches may speed up retrieval of those instructions byprocessor 402. Data in the data caches may be copies of data in memory404 or storage 406 for instructions executing at processor 402 tooperate on; the results of previous instructions executed at processor402 for access by subsequent instructions executing at processor 402 orfor writing to memory 404 or storage 406; or other suitable data. Thedata caches may speed up read or write operations by processor 402. TheTLBs may speed up virtual-address translation for processor 402. Inparticular embodiments, processor 402 may include one or more internalregisters for data, instructions, or addresses. This disclosurecontemplates processor 402 including any suitable number of any suitableinternal registers, where appropriate. Where appropriate, processor 402may include one or more arithmetic logic units (ALUs); be a multi-coreprocessor; or include one or more processors 402. Although thisdisclosure describes and illustrates a particular processor, thisdisclosure contemplates any suitable processor.

In particular embodiments, memory 404 includes main memory for storinginstructions for processor 402 to execute or data for processor 402 tooperate on. As an example and not by way of limitation, computer system400 may load instructions from storage 406 or another source (such as,for example, another computer system 400) to memory 404. Processor 402may then load the instructions from memory 404 to an internal registeror internal cache. To execute the instructions, processor 402 mayretrieve the instructions from the internal register or internal cacheand decode them. During or after execution of the instructions,processor 402 may write one or more results (which may be intermediateor final results) to the internal register or internal cache. Processor402 may then write one or more of those results to memory 404. Inparticular embodiments, processor 402 executes only instructions in oneor more internal registers or internal caches or in memory 404 (asopposed to storage 406 or elsewhere) and operates only on data in one ormore internal registers or internal caches or in memory 404 (as opposedto storage 406 or elsewhere). One or more memory buses (which may eachinclude an address bus and a data bus) may couple processor 402 tomemory 404. Bus 412 may include one or more memory buses, as describedbelow. In particular embodiments, one or more memory management units(MMUs) reside between processor 402 and memory 404 and facilitateaccesses to memory 404 requested by processor 402. In particularembodiments, memory 404 includes random access memory (RAM). This RAMmay be volatile memory, where appropriate Where appropriate, this RAMmay be dynamic RAM (DRAM) or static RAM (SRAM). Moreover, whereappropriate, this RAM may be single-ported or multi-ported RAM. Thisdisclosure contemplates any suitable RAM. Memory 404 may include one ormore memories 404, where appropriate. Although this disclosure describesand illustrates particular memory, this disclosure contemplates anysuitable memory.

In particular embodiments, storage 406 includes mass storage for data orinstructions. As an example and not by way of limitation, storage 406may include an HDD, a floppy disk drive, flash memory, an optical disc,a magneto-optical disc, magnetic tape, or a Universal Serial Bus (USB)drive or a combination of two or more of these. Storage 406 may includeremovable or non-removable (or fixed) media, where appropriate. Storage406 may be internal or external to computer system 400, whereappropriate. In particular embodiments, storage 406 is non-volatile,solid-state memory. In particular embodiments, storage 406 includesread-only memory (ROM). Where appropriate, this ROM may bemask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM),electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM),or flash memory or a combination of two or more of these. Thisdisclosure contemplates mass storage 406 taking any suitable physicalform. Storage 406 may include one or more storage control unitsfacilitating communication between processor 402 and storage 406, whereappropriate. Where appropriate, storage 406 may include one or morestorages 406. Although this disclosure describes and illustratesparticular storage, this disclosure contemplates any suitable storage.

In particular embodiments, I/O interface 408 includes hardware,software, or both providing one or more interfaces for communicationbetween computer system 400 and one or more I/O devices. Computer system400 may include one or more of these I/O devices, where appropriate. Oneor more of these I/O devices may enable communication between a personand computer system 400. As an example and not by way of limitation, anI/O device may include a keyboard, keypad, microphone, monitor, mouse,printer, scanner, speaker, still camera, stylus, tablet, touch screen,trackball, video camera, another suitable I/O device or a combination oftwo or more of these. An I/O device may include one or more sensors.This disclosure contemplates any suitable I/O devices and any suitableI/O interfaces 408 for them. Where appropriate, I/O interface 408 mayinclude one or more device or software drivers enabling processor 402 todrive one or more of these I/O devices. I/O interface 408 may includeone or more I/O interfaces 408, where appropriate. Although thisdisclosure describes and illustrates a particular I/O interface, thisdisclosure contemplates any suitable I/O interface.

In particular embodiments, communication interface 410 includeshardware, software, or both providing one or more interfaces forcommunication (such as, for example, packet-based communication) betweencomputer system 400 and one or more other computer systems 400 or one ormore networks. As an example and not by way of limitation, communicationinterface 410 may include a network interface controller (NIC) ornetwork adapter for communicating with an Ethernet or other wire-basednetwork or a wireless NIC (WNIC) or wireless adapter for communicatingwith a wireless network, such as a WI-FI network. This disclosurecontemplates any suitable network and any suitable communicationinterface 410 for it. As an example and not by way of limitation,computer system 400 may communicate with an ad hoc network, a personalarea network (PAN), a local area network (LAN), a wide area network(WAN), a metropolitan area network (MAN), or one or more portions of theInternet or a combination of two or more of these. One or more portionsof one or more of these networks may be wired or wireless. As anexample, computer system 400 may communicate with a wireless PAN (WPAN)(such as, for example, a BLUETOOTH WPAN), a WI-FI network, a WI-MAXnetwork, a cellular telephone network (such as, for example, a GlobalSystem for Mobile Communications (GSM) network), or other suitablewireless network or a combination of two or more of these. Computersystem 400 may include any suitable communication interface 410 for anyof these networks, where appropriate. Communication interface 410 mayinclude one or more communication interfaces 410, where appropriate.Although this disclosure describes and illustrates a particularcommunication interface, this disclosure contemplates any suitablecommunication interface.

In particular embodiments, bus 412 includes hardware, software, or bothcoupling components of computer system 400 to each other. As an exampleand not by way of limitation, bus 412 may include an AcceleratedGraphics Port (AGP) or other graphics bus, an Enhanced Industry StandardArchitecture (EISA) bus, a front-side bus (FSB), a HYPERTRANSPORT (HT)interconnect, an Industry Standard Architecture (ISA) bus, an INFINIBANDinterconnect, a low-pin-count (LPC) bus, a memory bus, a Micro ChannelArchitecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, aPCI-Express (PCI-X) bus, a serial advanced technology attachment (SATA)bus, a Video Electronics Standards Association local (VLB) bus, oranother suitable bus or a combination of two or more of these. Bus 412may include one or more buses 412, where appropriate. Although thisdisclosure describes and illustrates a particular bus, this disclosurecontemplates any suitable bus or interconnect.

Herein, reference to a computer-readable storage medium encompasses oneor more non-transitory, tangible computer-readable storage mediapossessing structure. As an example and not by way of limitation, acomputer-readable storage medium may include a semiconductor-based orother integrated circuit (IC) (such, as for example, afield-programmable gate array (FPGA) or an application-specific IC(ASIC)), a hard disk, an HDD, a hybrid hard drive (HHD), an opticaldisc, an optical disc drive (ODD), a magneto-optical disc, amagneto-optical drive, a floppy disk, a floppy disk drive (FDD),magnetic tape, a holographic storage medium, a solid-state drive (SSD),a RAM-drive, a SECURE DIGITAL card, a SECURE DIGITAL drive, or anothersuitable computer-readable storage medium or a combination of two ormore of these, where appropriate. Herein, reference to acomputer-readable storage medium excludes any medium that is noteligible for patent protection under 35 U.S.C. § 101. Herein, referenceto a computer-readable storage medium excludes transitory forms ofsignal transmission (such as a propagating electrical or electromagneticsignal per se) to the extent that they are not eligible for patentprotection under 35 U.S.C. § 101. A computer-readable non-transitorystorage medium may be volatile, non-volatile, or a combination ofvolatile and non-volatile, where appropriate.

This disclosure contemplates one or more computer-readable storage mediaimplementing any suitable storage. In particular embodiments, acomputer-readable storage medium implements one or more portions ofprocessor 402 (such as, for example, one or more internal registers orcaches), one or more portions of memory 404, one or more portions ofstorage 406, or a combination of these, where appropriate. In particularembodiments, a computer-readable storage medium implements RAM or ROM.In particular embodiments, a computer-readable storage medium implementsvolatile or persistent memory. In particular embodiments, one or morecomputer-readable storage media embody software. Herein, reference tosoftware may encompass one or more applications, bytecode, one or morecomputer programs, one or more executables, one or more instructions,logic, machine code, one or more scripts, or source code, and viceversa, where appropriate. In particular embodiments, software includesone or more application programming interfaces (APIs). This disclosurecontemplates any suitable software written or otherwise expressed in anysuitable programming language or combination of programming languages.In particular embodiments, software is expressed as source code orobject code. In particular embodiments, software is expressed in ahigher-level programming language, such as, for example, C, Perl, or asuitable extension thereof. In particular embodiments, software isexpressed in a lower-level programming language, such as assemblylanguage (or machine code). In particular embodiments, software isexpressed in JAVA. In particular embodiments, software is expressed inHyper Text Markup Language (HTML), Extensible Markup Language (XML), orother suitable markup language.

Herein, “or” is inclusive and not exclusive, unless expressly indicatedotherwise or indicated otherwise by context. Therefore, herein, “A or B”means “A, B, or both,” unless expressly indicated otherwise or indicatedotherwise by context. Moreover, “and” is both joint and several, unlessexpressly indicated otherwise or indicated otherwise by context.Therefore, herein, “A and B” means “A and B, jointly or severally,”unless expressly indicated otherwise or indicated otherwise by context.

This disclosure encompasses all changes, substitutions, variations,alterations, and modifications to the example embodiments herein that aperson having ordinary skill in the art would comprehend. Similarly,where appropriate, the appended claims encompass all changes,substitutions, variations, alterations, and modifications to the exampleembodiments herein that a person having ordinary skill in the art wouldcomprehend. Moreover, reference in the appended claims to an apparatusor system or a component of an apparatus or system being adapted to,arranged to, capable of, configured to, enabled to, operable to, oroperative to perform a particular function encompasses that apparatus,system, component, whether or not it or that particular function isactivated, turned on, or unlocked, as long as that apparatus, system, orcomponent is so adapted, arranged, capable, configured, enabled,operable, or operative.

1-30. (canceled)
 31. A method comprising: establishing, by a processoron a client, a network connection between the client and a server;receiving, by the processor over the network connection, a data streamfrom the server, the data stream having at least an executable code of asoftware program embedded therein; validating, by the processor, theexecutable code of the software program embedded in the data stream;upon validating the executable code of the software program, allocating,by the processor, memory on the client for loading and executing theexecutable code of the software program; writing, by the processor, theexecutable code of the software program into the allocated memory;launching, by the processor, the executable code of the software programfrom the allocated memory; and passing, by the processor, a socketassociated with the network connection and the data stream to thesoftware program that is executed on the client configured to extractadditional data in the data stream for executing the software program.32. The method of claim 31, wherein establishing the network connectionis by taking over an existing connection already established between theclient and the server.
 33. The method of claim 32, wherein the existingconnection already established between the client and the server is aconnection established by a web browser.
 34. The method of claim 31,wherein establishing the network connection is by establishing a newconnection.
 35. The method of claim 34, wherein establishing a newnetwork connection comprises: sending, by the processor, a connectionrequest to the server; receiving, by the processor, a response from theserver indicating whether the connection request is accepted orrejected; and upon receiving the response indicating that the server hasaccepted the connection request, establishing, by the processor, thenetwork connection between the client and the server.
 36. The method ofclaim 35, wherein a communication between the client and the server isby applying a communication protocol selected from a group ofcommunication protocols consisting of Hypertext Transfer Protocol(HTTP), User Datagram Protocol (UDP), and Transport Control Protocol(TCP).
 37. The method of claim 31, wherein multiple versions of multiplesoftware programs are stored on the server and configured to bedownloaded by the client.
 38. The method of claim 31, wherein a versionof the software program is identified by a unique identifier.
 39. Themethod of claim 31, wherein establishing the network connection is via astub executing on the client.
 40. The method of claim 31, wherein aversion of the software program is downloaded by a stub executing on theclient.
 41. The method of claim 31, wherein the executable code of thesoftware program is embedded in the data stream as one or more datapackets.
 42. The method of claim 31, wherein the data stream includes afirst portion of the data stream that contains the executable code ofthe software program and a second portion of the data stream thatcontains the additional data configured to be consumed by the softwareprogram during its execution.
 43. The method of claim 42, wherein theexecutable code of the software program of the first portion of the datastream is compressed.
 45. The method of claim 43, further comprising:upon receiving the data stream, accessing, by the processor, the firstportion of the data stream to extract the executable code of thesoftware program via decompressing the extracted executable code of thesoftware program.
 46. The method of claim 31, wherein the socket is anetwork socket configured to deliver incoming data packets to anappropriate application process or thread.
 47. The method of claim 42,wherein the executable code of the software program from the firstportion of the data stream launched by the processor causes anotherprocess to be generated by requesting the second portion of the datastream to be launched as a child process.
 48. A system, comprising: amemory comprising instructions executable by one or more processors; andone or more processors coupled to the memory and operable to execute theinstructions, the memory comprising instructions for: establishing, on aclient, a network connection between the client and a server; receiving,over the network connection, a data stream from the server, the datastream having at least an executable code of a software program embeddedtherein; validating the executable code of the software program embeddedin the data stream; upon validating the executable code of the softwareprogram, allocating memory on the client for loading and executing theexecutable code of the software program; writing the executable code ofthe software program into the allocated memory; launching the executablecode of the software program from the allocated memory; and passing asocket associated with the network connection and the data stream to thesoftware program that is executed on the client configured to extractadditional data in the data stream for executing the software program.49. The system recited in claim 48, wherein the instructions forestablishing the network connection is by establishing a new connection,comprising: sending a connection request to the server; receiving aresponse from the server indicating whether the connection request isaccepted or rejected; and upon receiving the response indicating thatthe server has accepted the connection request, establishing the networkconnection between the client and the server.
 50. One or morecomputer-readable storage media embodying software operable whenexecuted by a computer system to: establish, on a client, a networkconnection between the client and a server; receive, over the networkconnection, a data stream from the server, the data stream having atleast an executable code of a software program embedded therein;validate the executable code of the software program embedded in thedata stream; upon validate the executable code of the software program,allocate memory on the client for loading and executing the executablecode of the software program; write the executable code of the softwareprogram into the allocated memory; launch the executable code of thesoftware program from the allocated memory; and pass a socket associatedwith the network connection and the data stream to the software programthat is executed on the client configured to extract additional data inthe data stream for executing the software program.